handle sentinel mismatch with a specific message

johnstcn · johnstcn · commit 128ad09c1582 · 2023-08-29T15:12:57.000Z
diff --git a/enterprise/coderd/coderd.go b/enterprise/coderd/coderd.go
@@ -67,6 +67,9 @@ func New(ctx context.Context, options *Options) (_ *API, err error) {
 		cryptDB, err := dbcrypt.New(ctx, options.Database, options.ExternalTokenEncryption)
 		if err != nil {
 			cancelFunc()
+			if xerrors.Is(err, dbcrypt.ErrSentinelMismatch) {
+				panic(`Coder has shut down to prevent data corruption: your configured database is encrypted with an unknown external token encryption key. Please check your configuration and try again.`)
+			}
 			return nil, xerrors.Errorf("init dbcrypt: %w", err)
 		}
 		options.Database = cryptDB
diff --git a/enterprise/dbcrypt/dbcrypt.go b/enterprise/dbcrypt/dbcrypt.go
@@ -52,9 +52,10 @@ const MagicPrefix = "dbcrypt-"
 const sentinelValue = "coder"
 
 var (
-	ErrNotEnabled = xerrors.New("encryption is not enabled")
-	b64encode     = base64.StdEncoding.EncodeToString
-	b64decode     = base64.StdEncoding.DecodeString
+	ErrNotEnabled       = xerrors.New("encryption is not enabled")
+	ErrSentinelMismatch = xerrors.New("database is already encrypted under a different key")
+	b64encode           = base64.StdEncoding.EncodeToString
+	b64decode           = base64.StdEncoding.DecodeString
 )
 
 // DecryptFailedError is returned when decryption fails.
@@ -266,7 +267,7 @@ func ensureEncrypted(ctx context.Context, dbc *dbCrypt) error {
 		}
 
 		if val != "" && val != sentinelValue {
-			return xerrors.Errorf("database is already encrypted with a different key")
+			return ErrSentinelMismatch
 		}
 
 		// Mark the database as officially having been touched by the new cipher.
diff --git a/enterprise/dbcrypt/dbcrypt_test.go b/enterprise/dbcrypt/dbcrypt_test.go
@@ -208,8 +208,8 @@ func TestNew(t *testing.T) {
 		// When: we init the crypt db with no access to the old cipher
 		cipher2 := initCipher(t)
 		_, err = dbcrypt.New(ctx, rawDB, dbcrypt.NewCiphers(cipher2))
-		// Then: an error is returned
-		require.ErrorContains(t, err, "database is already encrypted with a different key")
+		// Then: a special error is returned
+		require.ErrorIs(t, err, dbcrypt.ErrSentinelMismatch)
 
 		// And the sentinel value should remain unchanged. For now.
 		rawVal, err := rawDB.GetDBCryptSentinelValue(ctx)

Original file line number	Diff line number	Diff line change
`@@ -52,9 +52,10 @@ const MagicPrefix = "dbcrypt-"`
`52`	`52`	`const sentinelValue = "coder"`
`53`	`53`
`54`	`54`	`var (`
`55`		`- ErrNotEnabled = xerrors.New("encryption is not enabled")`
`56`		`- b64encode = base64.StdEncoding.EncodeToString`
`57`		`- b64decode = base64.StdEncoding.DecodeString`
	`55`	`+ ErrNotEnabled = xerrors.New("encryption is not enabled")`
	`56`	`+ ErrSentinelMismatch = xerrors.New("database is already encrypted under a different key")`
	`57`	`+ b64encode = base64.StdEncoding.EncodeToString`
	`58`	`+ b64decode = base64.StdEncoding.DecodeString`
`58`	`59`	`)`
`59`	`60`
`60`	`61`	`// DecryptFailedError is returned when decryption fails.`
`@@ -266,7 +267,7 @@ func ensureEncrypted(ctx context.Context, dbc *dbCrypt) error {`
`266`	`267`	`}`
`267`	`268`
`268`	`269`	`if val != "" && val != sentinelValue {`
`269`		`- return xerrors.Errorf("database is already encrypted with a different key")`
	`270`	`+ return ErrSentinelMismatch`
`270`	`271`	`}`
`271`	`272`
`272`	`273`	`// Mark the database as officially having been touched by the new cipher.`